...
Abstract
Late last year, OpenMRS began collaborating with researchers from North Carolina State University (NCSU) to better secure the OpenMRS Reference Application. NCSU researchers, using cutting-edge security assessment techniques, have identified almost 300 distinct security issues. Many of those issues are relatively low-complexity, requiring one-line patches. This is a great opportunity for students who are interested in software security to get first-hand experience in the field.
...
- Experience with .jsp and/or .gsp frontend templating languages
- Basic knowledge of common web application security vulnerabilities
Examples
...
to Look Through While Preparing Your Proposal
1) Understand XSS vulnerabilities
- https://owasp.org/www-community/attacks/xss/ - Description of XSS vulnerabilities
2) Review some recent fix examples
For security reasons we can't publicly release the full NCSU report; however, you can check out these PRs for recent examples of the kinds of bugs that are being patched (and the kind of work the patches in this GSoC project entail):
- https://github.com/openmrs/openmrs-module-legacyuireporting/pull/140207 - Example of a PR patching one of the vulnerabilities identified in the report
- https://github.com/openmrs/openmrs-module-legacyui/pull/139140
- https://github.com/openmrs/openmrs-module-legacyui/pull/137139
- https://github.com/openmrs/openmrs-module-calculationlegacyui/pull/10137
- https://github.com/openmrs/openmrs-module-providermanagementcalculation/pull/43
...
Once you are accepted into the project, you will be added to the security team and a more detailed backlog of issues will be shared with you.
A successful proposal
A successful proposal could include a general approach to patching XSS vulnerabilities based on the examples above.
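As an added illustration of the one-line output-escaping pattern that patches for reflected XSS in a JSP view usually take (example written for this page, not code taken from the linked PRs; the `patientName` and `returnUrl` request parameters are hypothetical):

```jsp
<%-- Added example, not from the OpenMRS PRs above. The request parameters
     "patientName" and "returnUrl" are hypothetical. --%>
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body>
  <%-- BEFORE (vulnerable): the parameter is written into the response
       verbatim, so any markup it contains becomes part of the page. --%>
  <%-- <h2>Results for ${param.patientName}</h2> --%>

  <%-- AFTER: <c:out> escapes <, >, &, ' and " by default (escapeXml="true"),
       so the value is rendered as text no matter what it contains. --%>
  <h2>Results for <c:out value="${param.patientName}"/></h2>

  <%-- Attribute context: fn:escapeXml() applies the same escaping inside an
       attribute value. Escaping alone does not validate the URL itself; a
       redirect target should additionally be checked server-side (for example
       restricted to a relative path) before it is rendered. --%>
  <a href="${fn:escapeXml(param.returnUrl)}">Back</a>

  <%-- Do not escape server-generated markup twice: keep escapeXml="false"
       only for values the application built itself, never for request input. --%>
  <c:out value="${model.trustedHtmlFragment}" escapeXml="false"/>
</body>
</html>
```

The same pattern applies to each finding: locate the template line that echoes request-derived data, and route it through the escaping function appropriate for the HTML context (element body or attribute) in which it appears.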